Auth: Openfga driver followup

lxd/auth/authorization.go

@@ -18,7 +18,7 @@ const (
 	DriverTLS string = "tls"
 
 	// DriverEmbeddedOpenFGA is the default authorization driver. It currently falls back to DriverTLS for all TLS
-	// clients. It cannot be initialised until after the cluster database to be operational.
+	// clients. It cannot be initialised until after the cluster database is operational.
 	DriverEmbeddedOpenFGA string = "embedded-openfga"
 )
 

lxd/db/cluster/entities.go

@@ -1148,7 +1148,7 @@ func GetEntityReferenceFromURL(ctx context.Context, tx *sql.Tx, entityURL *api.U
 		return nil, fmt.Errorf("Failed to get entity ID from URL: %w", err)
 	}
 
-	// Populate the result map.
+	// Populate the fields we know from the URL.
 	entityRef := &EntityRef{
 		EntityType:  EntityType(entityType),
 		ProjectName: projectName,
@@ -1168,6 +1168,9 @@ func GetEntityReferenceFromURL(ctx context.Context, tx *sql.Tx, entityURL *api.U
 		return nil, fmt.Errorf("Could not get entity ID from URL: No statement found for entity type %q", entityType)
 	}
 
+	// The first bind argument in all entityIDFromURL queries is an index that we use to correspond output of large UNION
+	// queries (see PopulateEntityReferencesFromURLs). In this case we are only querying for one ID, so the `0` argument
+	// is a placeholder.
 	args := []any{0, projectName, location}
 	for _, pathArg := range pathArgs {
 		args = append(args, pathArg)

lxd/db/openfga.go

@@ -191,7 +191,10 @@ func (o *openfgaStore) ReadUserTuple(ctx context.Context, store string, tk *open
 }
 
 // ReadUsersetTuples is called on check requests. It is used to read all the "users" that have a given relation to
-// a given object.
+// a given object. In this context, the "user" may not be the identity making requests to LXD. In OpenFGA, a "user"
+// is any entity that can be related to an object (https://openfga.dev/docs/concepts#what-is-a-user). For example, in
+// our model, `project` can be related to `instance` via a `project` relation, so `project:/1.0/projects/default` could
+// be considered a user. The opposite is not true, so an `instance` cannot be a user.
 //
 // Observations:
 //   - The input filter always has an object and a relation.
@@ -271,11 +274,13 @@ WHERE auth_groups_permissions.entitlement = ? AND auth_groups_permissions.entity
 
 		return nil
 	})
-	if err != nil && !api.StatusErrorCheck(err, http.StatusNotFound) {
+	if err != nil {
+		if !api.StatusErrorCheck(err, http.StatusNotFound) {
+			// If we have a not found error then there are no tuples to return, but the datastore shouldn't return an error.
+			return storage.NewStaticTupleIterator(nil), nil
+		}
+
 		return nil, err
-	} else if err != nil {
-		// If we have a not found error then there are no tuples to return, but the datastore shouldn't return an error.
-		return storage.NewStaticTupleIterator(nil), nil
 	}
 
 	// Return the groups as tuples relating them to the object via the relation.
@@ -298,7 +303,7 @@ WHERE auth_groups_permissions.entitlement = ? AND auth_groups_permissions.entity
 //
 // Observations:
 //
-// - This method appears to be called in three scenarios:
+// - This method appears to be called in four scenarios:
 //  1. Listing objects related to the server object via `server`.
 //  2. Listing objects related to project objects via `project`.
 //  3. Listing objects that a group is related to via an entitlement.